Bumps safer-eval from 1.2.3 to 1.3.6. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **Moderate severity vulnerability that affects safer-eval**
> safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
>
> Affected versions: < 1.3.4
*Sourced from The GitHub Security Advisory Database.*
> **Moderate severity vulnerability that affects safer-eval**
> safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
>
> Affected versions: < 1.3.2
Commits
- [`d79adcf`](https://github.com/commenthol/safer-eval/commit/d79adcff94b7346faa402747a9c4c89381ddc850) 1.3.6
- [`fe26316`](https://github.com/commenthol/safer-eval/commit/fe26316d3d9f4151c1e2e86012a92492c571453d) docu: THIS MODULE IS HARMFUL
- [`6d5ed4b`](https://github.com/commenthol/safer-eval/commit/6d5ed4b90d676a10776b818dee84014dcd41e632) 1.3.5
- [`fbbc623`](https://github.com/commenthol/safer-eval/commit/fbbc623b7a6f6b9176dfed3f1c3d12ccc848f7b8) Merge pull request [#7](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/7) from commenthol/strict-mode-recommendation
- [`1a87237`](https://github.com/commenthol/safer-eval/commit/1a8723704b30ac43c3c300223c6132e27b48fc21) fix: use strict mode recommendation
- [`b81dab9`](https://github.com/commenthol/safer-eval/commit/b81dab9c7ef88345e5e9a4490426ac171a489add) 1.3.4
- [`073267a`](https://github.com/commenthol/safer-eval/commit/073267ac30e67d3e5c1762c5d0373444ead61660) Merge pull request [#6](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/6) from commenthol/fix-breakout-console
- [`25c3048`](https://github.com/commenthol/safer-eval/commit/25c304828b7fbfe228fbc9055f6004b181dd2c38) docu: Update tested browsers/ node versions
- [`25fbbe5`](https://github.com/commenthol/safer-eval/commit/25fbbe53e46c54d10b4c583b8f5c659933400ccb) fix: sandbox breakout with console.constructor...
- [`1ff9411`](https://github.com/commenthol/safer-eval/commit/1ff9411b4099e71798cfd822d5b0a536b39f31d5) chore: bump dependencies
- Additional commits viewable in [compare view](https://github.com/commenthol/safer-eval/compare/v1.2.3...v1.3.6)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot will not automatically merge this PR because it includes a minor update to a production dependency.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps safer-eval from 1.2.3 to 1.3.6. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects safer-eval** > safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. > > Affected versions: < 1.3.4 *Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects safer-eval** > safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. > > Affected versions: < 1.3.2Commits
- [`d79adcf`](https://github.com/commenthol/safer-eval/commit/d79adcff94b7346faa402747a9c4c89381ddc850) 1.3.6 - [`fe26316`](https://github.com/commenthol/safer-eval/commit/fe26316d3d9f4151c1e2e86012a92492c571453d) docu: THIS MODULE IS HARMFUL - [`6d5ed4b`](https://github.com/commenthol/safer-eval/commit/6d5ed4b90d676a10776b818dee84014dcd41e632) 1.3.5 - [`fbbc623`](https://github.com/commenthol/safer-eval/commit/fbbc623b7a6f6b9176dfed3f1c3d12ccc848f7b8) Merge pull request [#7](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/7) from commenthol/strict-mode-recommendation - [`1a87237`](https://github.com/commenthol/safer-eval/commit/1a8723704b30ac43c3c300223c6132e27b48fc21) fix: use strict mode recommendation - [`b81dab9`](https://github.com/commenthol/safer-eval/commit/b81dab9c7ef88345e5e9a4490426ac171a489add) 1.3.4 - [`073267a`](https://github.com/commenthol/safer-eval/commit/073267ac30e67d3e5c1762c5d0373444ead61660) Merge pull request [#6](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/6) from commenthol/fix-breakout-console - [`25c3048`](https://github.com/commenthol/safer-eval/commit/25c304828b7fbfe228fbc9055f6004b181dd2c38) docu: Update tested browsers/ node versions - [`25fbbe5`](https://github.com/commenthol/safer-eval/commit/25fbbe53e46c54d10b4c583b8f5c659933400ccb) fix: sandbox breakout with console.constructor... - [`1ff9411`](https://github.com/commenthol/safer-eval/commit/1ff9411b4099e71798cfd822d5b0a536b39f31d5) chore: bump dependencies - Additional commits viewable in [compare view](https://github.com/commenthol/safer-eval/compare/v1.2.3...v1.3.6)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot will not automatically merge this PR because it includes a minor update to a production dependency.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)